U.N. Special Rapporteur: Governments Must Not “Backdoor” Encryption for Spying

A landmark new United Nations report is “the first attempt to create a legal framework for digital security,” David Kaye, the U.N.’s special rapporteur on freedom of expression, told The Intercept in an interview Thursday.

The report is urging governments not to ban or mandate surveillance “backdoors” in encryption and anonymity tools that are used to protect the privacy of communications.

The 18-page document, published Thursday, was authored by Kaye and comes amid efforts to crack down on encryption technology in the United States, with federal agencies claiming that encryption is hampering their ability to investigate criminals and terrorists.

“It’s about the legal framework that human rights law establishes for freedom of expression,” Kaye said. “Hopefully advocates will make use of it when cases around privacy and freedom of expression get litigated.”

His report says that “discussions of encryption and anonymity have all too often focused only on their potential use for criminal purposes in times of terrorism. But emergency situations do not relieve States of the obligation to ensure respect for international human rights law.”

It recommends that:

States should promote strong encryption and anonymity. National laws should recognize that individuals are free to protect the privacy of their digital communications by using encryption technology and tools that allow anonymity online. Legislation and regulations protecting human rights defenders and journalists should also include provisions enabling access and providing support to use the technologies to secure their communications.

States should not restrict encryption and anonymity, which facilitate and often enable the rights to freedom of opinion and expression. Blanket prohibitions fail to be necessary and proportionate. States should avoid all measures that weaken the security that individuals may enjoy online, such as backdoors, weak encryption standards and key escrows.

Human rights group Access said in a statement that it welcomed the report, calling it a “landmark” piece of work that showed encryption was “fundamental” for exercising freedom of expression. “It’s a sober rebuke of baseless fear-mongering from those who say encryption only helps criminals and terrorists,” said Access’s senior policy counsel Peter Micek.

Encryption works by scrambling communications so that if they are intercepted, they cannot be read or listened to, unless the encryption is broken or circumvented. It is routinely used to secure online banking and shopping transactions and increasingly to protect the privacy of instant messages, emails and phone calls. Tools used to browse the Internet anonymously — such as Tor or Virtual Private Networks — mask your computer’s unique IP address, making it harder for law enforcement, intelligence agencies, advertisers and Internet service providers to track your online activity.

Since the first surveillance revelations from National Security Agency whistleblower Edward Snowden in 2013, more companies have adopted encryption to secure their customers’ data and communications. Last year, for instance, the messaging app WhatsApp announced that it was implementing strong encryption for its more than 600 million users. Moreover, in the aftermath of the Snowden leaks, more people reportedly started using anonymity tools like Tor to browse the Web.

The boom in encryption has sparked a panicked response from governments and law enforcement agencies. The FBI has attacked companies for beefing up their usage of encryption because “bad guys” can use it to conceal their nefarious activities. And the U.K. prime minister has appeared to agree, suggesting he would be open to some sort of encryption ban.

But Kaye, the U.N. free expression rapporteur, told The Intercept that he wants to see more encryption, not less. He says he would like to see a transition towards an “encrypted Internet,” with encryption built into websites, email providers and other communication providers by default. He says governments should only be allowed to decrypt communications on a “targeted, case-by-case basis” when approved by a court, subject to domestic and international law.

Encryption is “not about hiding, it’s about exercising the right that you have under human rights law,” said Kaye, who is also the director of the International Justice Clinic at the University of California, Irvine. “If you create an Internet that is encrypted and is secure, you are giving people a default setting of privacy which advances their ability to do research, to exchange information, to do all the things that they are guaranteed under human rights law. That move is critical.”

Kaye says he solicited contributions to his report from all 193 U.N. member states, including from governments in the Five Eyes surveillance alliance — the United States, United Kingdom, Canada, Australia and New Zealand. Documents from Snowden have previously shown how spy agencies in Five Eyes countries have worked in secret to circumvent and attack widely used encryption and anonymity tools.

About a dozen government representatives sent replies to Kaye, including U.S. Ambassador to the U.N. Pamela Hamamoto, who asserted that the United States was committed to firmly supporting “the development and robust adoption of strong encryption.” Other Five Eyes countries did not respond.

Kaye is due to formally present his report to the U.N.’s human rights council (pictured above) on June 17.

Photo: Valentin Flauraud/Keystone/AP


I’ve been moving toward a more secure environment, but trying to secure a Windows box is like Sisyphus rolling his rock up the hill.

The email thing is very troubling. I get emails from merchants, banks, credit cards, utility bills, healthcare related stuff etc., and they are all basically post cards. Anyone along the route to my Google email account can read them. And of course Google scans them. Virtually every app seems to leak private information: media players, pdf readers, browsers, even security apps! I use Hushmail now and I can send private emails, but the mail I actually get is not sent privately.

State of play:
Playing with Cloudfogger to secure my online storage. It’s a good idea. The reviews say it is dangerous, so maybe I’ll stick with TrueCrypt volumes on DropBox.

Using Kleopatra and Gpg4Win for securing emails and local encryption.

Using Private Internet Access for VPN, but it randomly drops coverage.

I’ve given up trying to use a System Wide Proxy. Windows 8.1 seems to be insecure by design.

I have an old copy of TrueCrypt and a copy of the new VeraCrypt (a TrueCrypt clone) for encrypting drives and volumes.

Using KeePass and LastPass for generating and using passwords.

Using Eraser for secure erase and it also erases unused bits diskwide about once a week.

I actually turned off NoScript. It was more trouble than it was worth. So I’ll wait for SmartNoScript.

But the email thing is still annoying. We need banks and merchants etc. to start using an SMTA (Secure Mail Transport Agent) based on public key technology. For me it would be a reason to switch from one merchant to another, from Amazon to Walmart for example, if one used secure email and kept my information private and the other did not.

I’m clearly missing something. Wouldn’t outlawing encryption basically bankrupt Amazon.com (and all other web-based shopping services)? I mean, who would use a credit card online anymore if there was no encryption or if encryption was breakable by the “good” guys (which the bad guys would break in a matter of hours, I’m sure)? Online banking would go the way of the passenger pigeon and people would start using real money and going to shopping malls again. So, what am I missing?

If you really need secrecy, don’t talk in public places or use public channels. This has been true ever since governments started to use informers and listeners, probably about 7000 years ago. Still true, though the sphere of “public channels” is a lot wider now than it was in Babylon.

The issue that makes this WORSE is that Australia and the UK are now planning to criminalize, with significant jail time, the informing OR teaching, even at universities, of ANYTHING that informs students or others what, how and why encryption is!! This ‘illegal’ training doesn’t even scratch on HOW encryption is used… This is LUNACY RUN AMOK!!

Actually I found that so preposterously crazy and extreme (and unnecessarily so) that I thought you had bent the truth quite a bit, but, no, you were right … This is LUNACY RUN AMOK!!
~
Australia tries to ban crypto research – by ACCIDENT
Academics could risk JAIL under defence trade laws starting in May
14 Jan 2015 at 21:04, Richard Chirgwin
~
theregister.co.uk/2015/01/14/australia_tries_to_ban_crypto_research_by_accident/
~
Satyagraha,
RCL

This bit is quite scary: “Under the proposed new powers, the spy agencies will be able to obtain a warrant from the Home Secretary that will oblige an internet companies to break down its encryption protection on a suspect and allow access to his or her communications.”

Gotta love that Comey claim that the “post-Snowden pendulum has swung too far”, by which he means a couple of tech companies didn’t include a backdoor they weren’t legally required to, so now legislation has to be passed to ban encryption for the first time. Some pendulum.

The US has thumbed its nose at anything that comes out of the UN, that they don’t agree with, or somehow won’t be applied to the US. We are The Superpower, and we are acting like it. We ignore UN resolutions and nothing happens to us. Unfortunately, the UN hasn’t lived up to the promise of all the good things it could have accomplished. It is in effect, a paper tiger and this report will be ignored, as usual. The press won’t even report on the report.

But sometimes it works well when the US wants to bash the Russians. Seems they got their sticky fingers on some important members of the UN.
But then… no wonder: if they snoop on every person, country or institution as they like, they surely find some dirt to use for their “interests”.
Like the actual FIFA coup… it only works when the next World Cup is planned for Russia… I wonder what would have happened if it was planned to be in the US. They probably would roll out the red carpet for the corrupt Mr. Blatter ;-)

And that’s the thing … how can a superpower act for decades as the biggest mobster of all mankind? Torture, rendition, blackmail, bribing… they even create false proof to have a reason to start a war!

Well,… my money is on the next meteorite, the supervolcano or the hackers who will crash the money system to end this misuse of powers ;-)

The public will do nothing… they just obey and don’t see the evil that manipulates them. Because they are just stupid naked monkeys like they were always.

And make sure the TV and the smartphones distract you from seeing the truth behind your personal curtains. Or put your hope in an imaginary friend and saviour called god… but please don’t act by yourself… obey, go to work and let the “big boys” do their thing, right? They know what they do… as they have played the game for centuries… problem is… they play and you are the chips. Nothing less, nothing more!

When I watch some old movies like 007, I sometimes start to like the super-villains more and more… destroy the world, wipe out mankind… maybe that’s the best solution for all. The world seems to need a real reset. Otherwise I think nothing will change. Not with these overpaid bastards on the top (aka the 10%) who just give their job and wealth on to the next in line. Nothing to gain for us 90% in that game. You only have 2 options (which are not even your choice): you are born as one of THEM, or you win big in the lottery. Both possibilities have a very minimal chance, right? And everybody else just gets born, gets trained to work and “function”, works his ass off and dies. If you’re OK with that system, please go on with your sorrowful life. Don’t bother anymore… don’t even think about it… it’s all as it should be, right?

Unfortunately some Dictat… aaahh, Countries are ignoring UN actions for decades,… or give their Veto when a friendly Dict,…. aaah, Country is “endangered”, right ?

The keywords that come to my mind are “Torture”, “Killing without proper cause or court”, “Unlawful Renditions”, “Locking people up indefinitely” (even whole states), or like in this case, snooping on the rest of the world without any kind of legal basis or global consensus.

And that’s the problem! Some idiot maniacs just do as they please ;-)

Unfortunately there is no law against that ;-(

So “The People” have to fix that in another way… or obey, as they are told. Seems the choice of the people is made, so they can go on being slaves and play with their spyphones. Every other countermeasure would require a moral stand and some balls! But hey… even the Nazis had some excuses like Law, Judges, Elections… so everything is fine and by the books, right?

Wow, a special rapporteur writes with authority on internet rights and security and when it comes to limitations on the private sector, only 1 of 4 links works without hacking around to figure out how to get to the documents. Doesn’t exactly inspire confidence about the expertise with which the document was written.

The document does a very poor job of addressing threats to anonymity by the private sector. I am regarded by many who know my internet practices as totally overly paranoid, but I have extremely legitimate and concrete reasons for my actions, and nearly all of them stem from breaches of my privacy and anonymity by large internet corporations. In particular, this special rapporteur’s document claims that real name registration practices, long data retention practices, and (presumably the inversion of) metadata are threats to anonymity and therefore to freedom of expression. Where exactly does that leave a company like Google, which refuses to implement Safe Harbor practices where they are not required by law (they are only required in the EU pretty much), and which pools all of the accounts of anyone on its system into a single account, making itself the largest and most global repository of a directory for decoding pseudonyms to real names in the world? Google is simultaneously and frequently interpreting its own right to read email accounts of its gmail users (which the rapporteur is technically against) as the right to read anything on the machines of anyone who has an account with Google under whatever name and for whatever purpose.

The threats to my privacy and anonymity are almost entirely from non-state actors. As for whether or not an encryption scheme could be created that allowed access on a warrant basis but had no backdoor? Only “experts” with a vested interest in their own methods and means for encryption would claim it wasn’t possible. But then the same type of expert believes that machine intelligence will pass human intelligence by 2035.

If encryption protocols are intentionally weakened so that the “good guys” can access encrypted data then it’s only a matter of time until the “bad guys” also have access to those same back doors. This is beyond stupid and short-sighted.

This is Security 101. There’s a no-no in computer security called “security by obscurity.” Basically, if security depends on others not having special know-how, that’s not real security. Backdoors can be viewed as a type of security by obscurity.

Security via Obscurity is most assuredly not a “no-no”. Your password is obscure. The key that opens your door to get into your house? Also obscure. Obscurity is useful. I think you’re confusing the ADDITION of obscurity with the use of obscurity to SUBSTITUTE for security.

Obscurity is a VERY helpful thing in the security field. Let’s say you have a labyrinth (which we can call your file system). Inside of that labyrinth are a few very important, private documents. The average attacker with a few minutes on a box won’t have time to know where to look. This is obscurity. Now if you publish the list of where your files are online and what they all are, then you remove the protection of obscurity. Like a firesafe, nothing is *really* “unhackable” — what you’re really trying to do is make it as hard as possible to get to the good stuff. And obscurity goes a LONG way towards making that possible.
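The exchange above argues two related points: that a mandated backdoor is one more secret whose compromise exposes everyone at once, and that sound designs keep the secret in a per-user key rather than in hidden know-how. The following added example (written for this page; it is not code from The Intercept, the U.N. report, or any of the commenters) makes the first point measurable. It builds a constructed toy messaging system in which each message is sealed under a fresh message key, that key is wrapped for the recipient and, in the "escrow" variant, also for a single escrow key. A function then counts how many messages become readable when one user's key leaks versus when the escrow key leaks. The cipher is a deliberately simplified SHA-256 keystream with an HMAC tag, chosen only so that a wrong key is detectable; it is an assumption of the example, not a recommendation.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Optional

# Toy stream cipher: XOR with a SHA-256-derived keystream (constructed for the
# example; not a real cipher). Keys and nonces are raw bytes.
def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def xor_bytes(data: bytes, key: bytes, nonce: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))

@dataclass
class Envelope:
    sender: str
    recipient: str
    nonce: bytes
    body: bytes                    # plaintext encrypted under a fresh message key
    tag: bytes                     # HMAC over nonce+body, keyed by the message key
    wrapped_for_recipient: bytes   # message key encrypted under the recipient's key
    wrapped_for_escrow: Optional[bytes]  # same key under the escrow key, if any

def seal(sender: str, recipient: str, plaintext: bytes,
         user_keys: Dict[str, bytes], escrow_key: Optional[bytes] = None) -> Envelope:
    msg_key = os.urandom(32)
    nonce = os.urandom(16)
    body = xor_bytes(plaintext, msg_key, nonce)
    tag = hmac.new(msg_key, nonce + body, hashlib.sha256).digest()
    wrapped_r = xor_bytes(msg_key, user_keys[recipient], nonce)
    wrapped_e = xor_bytes(msg_key, escrow_key, nonce) if escrow_key else None
    return Envelope(sender, recipient, nonce, body, tag, wrapped_r, wrapped_e)

def open_with(env: Envelope, key: bytes, via_escrow: bool) -> Optional[bytes]:
    """Return the plaintext if `key` unwraps the message key, else None."""
    wrapped = env.wrapped_for_escrow if via_escrow else env.wrapped_for_recipient
    if wrapped is None:
        return None  # no escrow copy exists in this deployment
    msg_key = xor_bytes(wrapped, key, env.nonce)
    expected = hmac.new(msg_key, env.nonce + env.body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, env.tag):
        return None  # wrong key: the tag does not verify
    return xor_bytes(env.body, msg_key, env.nonce)

def count_readable(envelopes: List[Envelope], key: bytes, via_escrow: bool) -> int:
    return sum(1 for e in envelopes if open_with(e, key, via_escrow) is not None)

def blast_radius(n_users: int = 4, msgs_per_pair: int = 2) -> Dict[str, int]:
    """Compare how far a single key compromise reaches with and without escrow."""
    users = [f"user{i}" for i in range(n_users)]
    user_keys = {u: os.urandom(32) for u in users}
    escrow_key = os.urandom(32)
    pairs = [(s, r) for s in users for r in users if s != r]
    no_escrow = [seal(s, r, f"hello from {s}".encode(), user_keys)
                 for s, r in pairs for _ in range(msgs_per_pair)]
    with_escrow = [seal(s, r, f"hello from {s}".encode(), user_keys, escrow_key)
                   for s, r in pairs for _ in range(msgs_per_pair)]
    leaked_user = user_keys[users[0]]
    return {
        "total": len(pairs) * msgs_per_pair,
        # Per-user secret: only mail addressed to the compromised user is exposed.
        "one_user_key_leaked": count_readable(with_escrow, leaked_user, False),
        # Shared escrow secret: every message in the system is exposed.
        "escrow_key_leaked": count_readable(with_escrow, escrow_key, True),
        # Without escrow there is no shared secret to leak.
        "escrow_key_leaked_without_escrow": count_readable(no_escrow, escrow_key, True),
    }

if __name__ == "__main__":
    print(blast_radius())
```

With four users and two messages per ordered pair, a leaked user key exposes the six messages addressed to that user, while a leaked escrow key exposes all twenty-four; the no-escrow deployment has nothing for the escrow key to open. The asymmetry is the whole argument: the per-user key concentrates the secret where Kerckhoffs's principle wants it, and the escrow key re-introduces a single secret whose holder (or anyone who takes it from that holder) reads everything.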